func (m *VirtualStorage) confirmNoEscalation(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding) error {
modifyingRole, err := m.getReferencedRole(roleBinding.RoleRef)
if err != nil {
return err
}
ruleResolver := rulevalidation.NewDefaultRuleResolver(
m.PolicyRegistry,
m.BindingRegistry,
m.ClusterPolicyRegistry,
m.ClusterPolicyBindingRegistry,
)
ownerLocalRules, err := ruleResolver.GetEffectivePolicyRules(ctx)
if err != nil {
return err
}
masterContext := kapi.WithNamespace(ctx, "")
ownerGlobalRules, err := ruleResolver.GetEffectivePolicyRules(masterContext)
if err != nil {
return err
}
ownerRules := make([]authorizationapi.PolicyRule, 0, len(ownerGlobalRules)+len(ownerLocalRules))
ownerRules = append(ownerRules, ownerLocalRules...)
ownerRules = append(ownerRules, ownerGlobalRules...)
ownerRightsCover, missingRights := rulevalidation.Covers(ownerRules, modifyingRole.Rules)
if !ownerRightsCover {
user, _ := kapi.UserFrom(ctx)
return fmt.Errorf("attempt to grant extra privileges: %v\nuser=%v\nownerrules%v\n", missingRights, user, ownerRules)
}
return nil
}
func TestAuthenticateRequest(t *testing.T) {
success := make(chan struct{})
contextMapper := api.NewRequestContextMapper()
auth, err := NewRequestAuthenticator(
contextMapper,
authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) {
return &user.DefaultInfo{Name: "user"}, true, nil
}),
http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
t.Errorf("unexpected call to failed")
}),
http.HandlerFunc(func(_ http.ResponseWriter, req *http.Request) {
ctx, ok := contextMapper.Get(req)
if ctx == nil || !ok {
t.Errorf("no context stored on contextMapper: %#v", contextMapper)
}
user, ok := api.UserFrom(ctx)
if user == nil || !ok {
t.Errorf("no user stored in context: %#v", ctx)
}
close(success)
}),
)
auth.ServeHTTP(httptest.NewRecorder(), &http.Request{})
<-success
empty, err := api.IsEmpty(contextMapper)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !empty {
t.Fatalf("contextMapper should have no stored requests: %v", contextMapper)
}
}
// GetEffectivePolicyRules returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of
// PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations
// can be made on the basis of those rules that are found.
func (a *DefaultRuleResolver) GetEffectivePolicyRules(ctx kapi.Context) ([]authorizationapi.PolicyRule, error) {
roleBindings, err := a.GetRoleBindings(ctx)
if err != nil {
return nil, err
}
user, exists := kapi.UserFrom(ctx)
if !exists {
return nil, errors.New("user missing from context")
}
errs := []error{}
rules := make([]authorizationapi.PolicyRule, 0, len(roleBindings))
for _, roleBinding := range roleBindings {
if !appliesToUser(roleBinding.Users(), roleBinding.Groups(), user) {
continue
}
role, err := a.GetRole(roleBinding)
if err != nil {
errs = append(errs, err)
continue
}
for _, curr := range role.Rules() {
rules = append(rules, curr)
}
}
return rules, kerrors.NewAggregate(errs)
}
func (r *requestAttributeGetter) GetAttribs(req *http.Request) authorizer.Attributes {
attribs := authorizer.AttributesRecord{}
ctx, ok := r.requestContextMapper.Get(req)
if ok {
user, ok := api.UserFrom(ctx)
if ok {
attribs.User = user
}
}
attribs.ReadOnly = IsReadOnlyReq(*req)
apiRequestInfo, _ := r.apiRequestInfoResolver.GetAPIRequestInfo(req)
// If a path follows the conventions of the REST object store, then
// we can extract the resource. Otherwise, not.
attribs.Resource = apiRequestInfo.Resource
// If the request specifies a namespace, then the namespace is filled in.
// Assumes there is no empty string namespace. Unspecified results
// in empty (does not understand defaulting rules.)
attribs.Namespace = apiRequestInfo.Namespace
return &attribs
}
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
if err := rest.BeforeCreate(projectrequestregistry.Strategy, ctx, obj); err != nil {
return nil, err
}
projectRequest := obj.(*projectapi.ProjectRequest)
if _, err := r.openshiftClient.Projects().Get(projectRequest.Name); err == nil {
return nil, kapierror.NewAlreadyExists("project", projectRequest.Name)
}
projectName := projectRequest.Name
projectAdmin := ""
if userInfo, exists := kapi.UserFrom(ctx); exists {
projectAdmin = userInfo.GetName()
}
template, err := r.getTemplate()
if err != nil {
return nil, err
}
for i := range template.Parameters {
switch template.Parameters[i].Name {
case ProjectAdminUserParam:
template.Parameters[i].Value = projectAdmin
case ProjectDescriptionParam:
template.Parameters[i].Value = projectRequest.Description
case ProjectDisplayNameParam:
template.Parameters[i].Value = projectRequest.DisplayName
case ProjectNameParam:
template.Parameters[i].Value = projectName
}
}
list, err := r.openshiftClient.TemplateConfigs(kapi.NamespaceDefault).Create(template)
if err != nil {
return nil, err
}
if err := utilerrors.NewAggregate(runtime.DecodeList(list.Objects, kapi.Scheme)); err != nil {
return nil, err
}
bulk := configcmd.Bulk{
Mapper: latest.RESTMapper,
Typer: kapi.Scheme,
RESTClientFactory: func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
return r.openshiftClient, nil
},
}
if err := utilerrors.NewAggregate(bulk.Create(&kapi.List{Items: list.Objects}, projectName)); err != nil {
return nil, err
}
return r.openshiftClient.Projects().Get(projectName)
}
// Validate validates a new image stream.
func (s Strategy) Validate(ctx kapi.Context, obj runtime.Object) fielderrors.ValidationErrorList {
stream := obj.(*api.ImageStream)
user, ok := kapi.UserFrom(ctx)
if !ok {
return fielderrors.ValidationErrorList{kerrors.NewForbidden("imageStream", stream.Name, fmt.Errorf("unable to update an ImageStream without a user on the context"))}
}
errs := s.tagVerifier.Verify(nil, stream, user)
errs = append(errs, s.tagsChanged(nil, stream)...)
errs = append(errs, validation.ValidateImageStream(stream)...)
return errs
}
// List retrieves a list of Projects that match label.
func (s *REST) List(ctx kapi.Context, label labels.Selector, field fields.Selector) (runtime.Object, error) {
user, ok := kapi.UserFrom(ctx)
if !ok {
return nil, kerrors.NewForbidden("Project", "", fmt.Errorf("unable to list projects without a user on the context"))
}
namespaceList, err := s.lister.List(user)
if err != nil {
return nil, err
}
return convertNamespaceList(namespaceList), nil
}
// Create registers a given new ResourceAccessReview instance to r.registry.
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
subjectAccessReview, ok := obj.(*authorizationapi.SubjectAccessReview)
if !ok {
return nil, kerrors.NewBadRequest(fmt.Sprintf("not a subjectAccessReview: %#v", obj))
}
if err := kutilerrors.NewAggregate(authorizationvalidation.ValidateSubjectAccessReview(subjectAccessReview)); err != nil {
return nil, err
}
var userToCheck user.Info
if (len(subjectAccessReview.User) == 0) && (len(subjectAccessReview.Groups) == 0) {
// if no user or group was specified, use the info from the context
ctxUser, exists := kapi.UserFrom(ctx)
if !exists {
return nil, kerrors.NewBadRequest("user missing from context")
}
userToCheck = ctxUser
} else {
userToCheck = &user.DefaultInfo{
Name: subjectAccessReview.User,
Groups: subjectAccessReview.Groups.List(),
}
}
namespace := kapi.NamespaceValue(ctx)
requestContext := kapi.WithUser(ctx, userToCheck)
attributes := &authorizer.DefaultAuthorizationAttributes{
Verb: subjectAccessReview.Verb,
Resource: subjectAccessReview.Resource,
}
allowed, reason, err := r.authorizer.Authorize(requestContext, attributes)
if err != nil {
return nil, err
}
response := &authorizationapi.SubjectAccessReviewResponse{
Namespace: namespace,
Allowed: allowed,
Reason: reason,
}
return response, nil
}
// ConnectResource returns a function that handles a connect request on a rest.Storage object.
func ConnectResource(connecter rest.Connecter, scope RequestScope, admit admission.Interface, connectOptionsKind, restPath string, subpath bool, subpathKey string) restful.RouteFunction {
return func(req *restful.Request, res *restful.Response) {
w := res.ResponseWriter
namespace, name, err := scope.Namer.Name(req)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
ctx := scope.ContextFunc(req)
ctx = api.WithNamespace(ctx, namespace)
opts, err := getRequestOptions(req, scope, connectOptionsKind, subpath, subpathKey)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
if admit.Handles(admission.Connect) {
connectRequest := &rest.ConnectRequest{
Name: name,
Options: opts,
ResourcePath: restPath,
}
userInfo, _ := api.UserFrom(ctx)
err = admit.Admit(admission.NewAttributesRecord(connectRequest, scope.Kind, namespace, name, scope.Resource, scope.Subresource, admission.Connect, userInfo))
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
}
handler, err := connecter.Connect(ctx, name, opts)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
handler.ServeHTTP(w, req.Request)
err = handler.RequestError()
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
}
}
func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes AuthorizationAttributes) (bool, string, error) {
attributes := coerceToDefaultAuthorizationAttributes(passedAttributes)
// keep track of errors in case we are unable to authorize the action.
// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
// This is most common when a bound role is missing, but enough roles are still present and bound to authorize the request.
errs := []error{}
masterContext := kapi.WithNamespace(ctx, kapi.NamespaceNone)
globalAllowed, globalReason, err := a.authorizeWithNamespaceRules(masterContext, attributes)
if globalAllowed {
return true, globalReason, nil
}
if err != nil {
errs = append(errs, err)
}
namespace, _ := kapi.NamespaceFrom(ctx)
if len(namespace) != 0 {
namespaceAllowed, namespaceReason, err := a.authorizeWithNamespaceRules(ctx, attributes)
if namespaceAllowed {
return true, namespaceReason, nil
}
if err != nil {
errs = append(errs, err)
}
}
if len(errs) > 0 {
return false, "", kerrors.NewAggregate(errs)
}
user, _ := kapi.UserFrom(ctx)
denyReason, err := a.forbiddenMessageMaker.MakeMessage(MessageContext{user, namespace, attributes})
if err != nil {
denyReason = err.Error()
}
return false, denyReason, nil
}
// Get retrieves the item from etcd.
func (r *REST) Get(ctx kapi.Context, name string) (runtime.Object, error) {
// "~" means the currently authenticated user
if name == "~" {
user, ok := kapi.UserFrom(ctx)
if !ok || user.GetName() == "" {
return nil, kerrs.NewForbidden("user", "~", errors.New("requests to ~ must be authenticated"))
}
name = user.GetName()
// remove the known virtual groups from the list if they are present
contextGroups := kutil.NewStringSet(user.GetGroups()...)
contextGroups.Delete(bootstrappolicy.UnauthenticatedGroup, bootstrappolicy.AuthenticatedGroup)
if ok, _ := validation.ValidateUserName(name, false); !ok {
// The user the authentication layer has identified cannot possibly be a persisted user
// Return an API representation of the virtual user
return &api.User{ObjectMeta: kapi.ObjectMeta{Name: name}, Groups: contextGroups.List()}, nil
}
obj, err := r.Etcd.Get(ctx, name)
if err == nil {
return obj, nil
}
if !kerrs.IsNotFound(err) {
return nil, err
}
return &api.User{ObjectMeta: kapi.ObjectMeta{Name: name}, Groups: contextGroups.List()}, nil
}
if ok, details := validation.ValidateUserName(name, false); !ok {
return nil, fielderrors.NewFieldInvalid("metadata.name", name, details)
}
return r.Etcd.Get(ctx, name)
}
func (r *REST) List(ctx kapi.Context, label labels.Selector, field fields.Selector) (runtime.Object, error) {
userInfo, exists := kapi.UserFrom(ctx)
if !exists {
return nil, errors.New("a user must be provided")
}
// the caller might not have permission to run a subject access review (he has it by default, but it could have been removed).
// So we'll escalate for the subject access review to determine rights
accessReview := &authorizationapi.SubjectAccessReview{
Verb: "create",
Resource: "projectrequests",
User: userInfo.GetName(),
Groups: util.NewStringSet(userInfo.GetGroups()...),
}
accessReviewResponse, err := r.openshiftClient.ClusterSubjectAccessReviews().Create(accessReview)
if err != nil {
return nil, err
}
if accessReviewResponse.Allowed {
return &kapi.Status{Status: kapi.StatusSuccess}, nil
}
forbiddenError, _ := kapierror.NewForbidden("ProjectRequest", "", errors.New("you may not request a new project via this API.")).(*kapierror.StatusError)
if len(r.message) > 0 {
forbiddenError.ErrStatus.Message = r.message
forbiddenError.ErrStatus.Details = &kapi.StatusDetails{
Kind: "ProjectRequest",
Causes: []kapi.StatusCause{
{Message: r.message},
},
}
} else {
forbiddenError.ErrStatus.Message = "You may not request a new project via this API."
}
return nil, forbiddenError
}
// UpdateResource returns a function that will handle a resource update
func UpdateResource(r rest.Updater, scope RequestScope, typer runtime.ObjectTyper, admit admission.Interface) restful.RouteFunction {
return func(req *restful.Request, res *restful.Response) {
w := res.ResponseWriter
// TODO: we either want to remove timeout or document it (if we document, move timeout out of this function and declare it in api_installer)
timeout := parseTimeout(req.Request.URL.Query().Get("timeout"))
namespace, name, err := scope.Namer.Name(req)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
ctx := scope.ContextFunc(req)
ctx = api.WithNamespace(ctx, namespace)
body, err := readBody(req.Request)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
obj := r.New()
if err := scope.Codec.DecodeInto(body, obj); err != nil {
err = transformDecodeError(typer, err, obj, body)
errorJSON(err, scope.Codec, w)
return
}
if err := checkName(obj, name, namespace, scope.Namer); err != nil {
errorJSON(err, scope.Codec, w)
return
}
if admit.Handles(admission.Update) {
userInfo, _ := api.UserFrom(ctx)
err = admit.Admit(admission.NewAttributesRecord(obj, scope.Kind, namespace, scope.Resource, admission.Update, userInfo))
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
}
wasCreated := false
result, err := finishRequest(timeout, func() (runtime.Object, error) {
obj, created, err := r.Update(ctx, obj)
wasCreated = created
return obj, err
})
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
if err := setSelfLink(result, req, scope.Namer); err != nil {
errorJSON(err, scope.Codec, w)
return
}
status := http.StatusOK
if wasCreated {
status = http.StatusCreated
}
writeJSON(status, scope.Codec, result, w, isPrettyPrint(req.Request))
}
}
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
if err := rest.BeforeCreate(projectrequestregistry.Strategy, ctx, obj); err != nil {
return nil, err
}
projectRequest := obj.(*projectapi.ProjectRequest)
if _, err := r.openshiftClient.Projects().Get(projectRequest.Name); err == nil {
return nil, kapierror.NewAlreadyExists("project", projectRequest.Name)
}
projectName := projectRequest.Name
projectAdmin := ""
if userInfo, exists := kapi.UserFrom(ctx); exists {
projectAdmin = userInfo.GetName()
}
template, err := r.getTemplate()
if err != nil {
return nil, err
}
for i := range template.Parameters {
switch template.Parameters[i].Name {
case ProjectAdminUserParam:
template.Parameters[i].Value = projectAdmin
case ProjectDescriptionParam:
template.Parameters[i].Value = projectRequest.Description
case ProjectDisplayNameParam:
template.Parameters[i].Value = projectRequest.DisplayName
case ProjectNameParam:
template.Parameters[i].Value = projectName
}
}
list, err := r.openshiftClient.TemplateConfigs(kapi.NamespaceDefault).Create(template)
if err != nil {
return nil, err
}
if err := utilerrors.NewAggregate(runtime.DecodeList(list.Objects, kapi.Scheme)); err != nil {
return nil, kapierror.NewInternalError(err)
}
// one of the items in this list should be the project. We are going to locate it, remove it from the list, create it separately
var projectFromTemplate *projectapi.Project
objectsToCreate := &kapi.List{}
for i := range list.Objects {
if templateProject, ok := list.Objects[i].(*projectapi.Project); ok {
projectFromTemplate = templateProject
if len(list.Objects) > (i + 1) {
objectsToCreate.Items = append(objectsToCreate.Items, list.Objects[i+1:]...)
}
break
}
objectsToCreate.Items = append(objectsToCreate.Items, list.Objects[i])
}
if projectFromTemplate == nil {
return nil, kapierror.NewInternalError(fmt.Errorf("the project template (%s/%s) is not correctly configured: must contain a project resource", r.templateNamespace, r.templateName))
}
// we split out project creation separately so that in a case of racers for the same project, only one will win and create the rest of their template objects
if _, err := r.openshiftClient.Projects().Create(projectFromTemplate); err != nil {
return nil, err
}
bulk := configcmd.Bulk{
Mapper: latest.RESTMapper,
Typer: kapi.Scheme,
RESTClientFactory: func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
return r.openshiftClient, nil
},
}
if err := utilerrors.NewAggregate(bulk.Create(objectsToCreate, projectName)); err != nil {
return nil, kapierror.NewInternalError(err)
}
return r.openshiftClient.Projects().Get(projectName)
}
// DeleteResource returns a function that will handle a resource deletion
func DeleteResource(r rest.GracefulDeleter, checkBody bool, scope RequestScope, admit admission.Interface) restful.RouteFunction {
return func(req *restful.Request, res *restful.Response) {
w := res.ResponseWriter
// TODO: we either want to remove timeout or document it (if we document, move timeout out of this function and declare it in api_installer)
timeout := parseTimeout(req.Request.URL.Query().Get("timeout"))
namespace, name, err := scope.Namer.Name(req)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
ctx := scope.ContextFunc(req)
ctx = api.WithNamespace(ctx, namespace)
options := &api.DeleteOptions{}
if checkBody {
body, err := readBody(req.Request)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
if len(body) > 0 {
if err := scope.Codec.DecodeInto(body, options); err != nil {
errorJSON(err, scope.Codec, w)
return
}
}
}
if admit.Handles(admission.Delete) {
userInfo, _ := api.UserFrom(ctx)
err = admit.Admit(admission.NewAttributesRecord(nil, scope.Kind, namespace, scope.Resource, admission.Delete, userInfo))
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
}
result, err := finishRequest(timeout, func() (runtime.Object, error) {
return r.Delete(ctx, name, options)
})
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
// if the rest.Deleter returns a nil object, fill out a status. Callers may return a valid
// object with the response.
if result == nil {
result = &api.Status{
Status: api.StatusSuccess,
Code: http.StatusOK,
Details: &api.StatusDetails{
ID: name,
Kind: scope.Kind,
},
}
} else {
// when a non-status response is returned, set the self link
if _, ok := result.(*api.Status); !ok {
if err := setSelfLink(result, req, scope.Namer); err != nil {
errorJSON(err, scope.Codec, w)
return
}
}
}
write(http.StatusOK, scope.APIVersion, scope.Codec, result, w, req.Request)
}
}
// PatchResource returns a function that will handle a resource patch
// TODO: Eventually PatchResource should just use GuaranteedUpdate and this routine should be a bit cleaner
func PatchResource(r rest.Patcher, scope RequestScope, typer runtime.ObjectTyper, admit admission.Interface, converter runtime.ObjectConvertor) restful.RouteFunction {
return func(req *restful.Request, res *restful.Response) {
w := res.ResponseWriter
// TODO: we either want to remove timeout or document it (if we
// document, move timeout out of this function and declare it in
// api_installer)
timeout := parseTimeout(req.Request.URL.Query().Get("timeout"))
namespace, name, err := scope.Namer.Name(req)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
obj := r.New()
ctx := scope.ContextFunc(req)
ctx = api.WithNamespace(ctx, namespace)
// PATCH requires same permission as UPDATE
if admit.Handles(admission.Update) {
userInfo, _ := api.UserFrom(ctx)
err = admit.Admit(admission.NewAttributesRecord(obj, scope.Kind, namespace, scope.Resource, admission.Update, userInfo))
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
}
versionedObj, err := converter.ConvertToVersion(obj, scope.APIVersion)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
original, err := r.Get(ctx, name)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
originalObjJS, err := scope.Codec.Encode(original)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
patchJS, err := readBody(req.Request)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
contentType := req.HeaderParameter("Content-Type")
patchedObjJS, err := getPatchedJS(contentType, originalObjJS, patchJS, versionedObj)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
if err := scope.Codec.DecodeInto(patchedObjJS, obj); err != nil {
errorJSON(err, scope.Codec, w)
return
}
if err := checkName(obj, name, namespace, scope.Namer); err != nil {
errorJSON(err, scope.Codec, w)
return
}
result, err := finishRequest(timeout, func() (runtime.Object, error) {
// update should never create as previous get would fail
obj, _, err := r.Update(ctx, obj)
return obj, err
})
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
if err := setSelfLink(result, req, scope.Namer); err != nil {
errorJSON(err, scope.Codec, w)
return
}
write(http.StatusOK, scope.APIVersion, scope.Codec, result, w, req.Request)
}
}
func createHandler(r rest.NamedCreater, scope RequestScope, typer runtime.ObjectTyper, admit admission.Interface, includeName bool) restful.RouteFunction {
return func(req *restful.Request, res *restful.Response) {
w := res.ResponseWriter
// TODO: we either want to remove timeout or document it (if we document, move timeout out of this function and declare it in api_installer)
timeout := parseTimeout(req.Request.URL.Query().Get("timeout"))
var (
namespace, name string
err error
)
if includeName {
namespace, name, err = scope.Namer.Name(req)
} else {
namespace, err = scope.Namer.Namespace(req)
}
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
ctx := scope.ContextFunc(req)
ctx = api.WithNamespace(ctx, namespace)
body, err := readBody(req.Request)
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
obj := r.New()
if err := scope.Codec.DecodeInto(body, obj); err != nil {
err = transformDecodeError(typer, err, obj, body)
errorJSON(err, scope.Codec, w)
return
}
if admit.Handles(admission.Create) {
userInfo, _ := api.UserFrom(ctx)
err = admit.Admit(admission.NewAttributesRecord(obj, scope.Kind, namespace, scope.Resource, admission.Create, userInfo))
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
}
result, err := finishRequest(timeout, func() (runtime.Object, error) {
out, err := r.Create(ctx, name, obj)
if status, ok := out.(*api.Status); ok && err == nil && status.Code == 0 {
status.Code = http.StatusCreated
}
return out, err
})
if err != nil {
errorJSON(err, scope.Codec, w)
return
}
if err := setSelfLink(result, req, scope.Namer); err != nil {
errorJSON(err, scope.Codec, w)
return
}
write(http.StatusCreated, scope.APIVersion, scope.Codec, result, w, req.Request)
}
}